Cloud Security Alliance Congress 2010 Summary: Part 2 of 4

The Cloud Security Alliance kicked off its first major event November 16-17, 2010 in Orlando, Florida. The CSA Congress 2010 successfully hosted 370 people with talks covering all aspects of cloud security over two days.

For those who were not in attendance at the Congress, this four-part series will summarize some of the most popular sessions at the event.

Cloud Security Alliance Congress 2010 Summary – Part 2

This is part two in a series of posts summarizing popular sessions at the Cloud Security Alliance Congress 2010 event held in November 2010 in Orlando, Florida.

Chris Hoff's talk is part of a continuing series of talks he has given over the years (the Four Horsemen, Frogs and Cloudifornication series). Hoff's latest talk explores the diversity of clouds and the differences in networking, security transparency/visibility and forensics between them. Hoff states that "Applications can be more secure in the cloud, if..." with a long list of provisos. You can't take an application, host it in a cloud model and have it magically become a cloud application. You have to re-architect the operational, technological, security and compliance models.

Hoff illustrates cloud computing with a trebuchet. A trebuchet was essentially a combination of a catapult and a ballista: an evolutionary application of revolutionary ideas, as cloud is. We have changed servers into pooled resources, networks and storage into clusters and fabrics, and the tightly coupled relationship between hardware and software into a loose one through virtualization. The cloud model has allowed us to obtain scale, enabled by idempotent infrastructure, massive datacenters, agility and virtualization automation, all driven by software. However, this creates a huge monoculture.

Hoff claims that the friction between cloud computing and security is, in part, an issue of control over your infrastructure. We have a wealth of security controls; however, especially once service providers are added, security becomes less integrated. He asserts that we have "too much security," not too little. We need to automate, integrate and apply the correct controls at each of the layers he calls infrastructure, metastructure and infostructure.

Hoff challenges us to manage disruptive innovation before it manages us, and not to let abstraction become distraction.

Quantum Datum: Information-Centric Security for Cloud Computing

Rich Mogull uses quantum mechanics as a parallel for the shift from host/application-centric security to information-centric security. He likened quantum entanglement to data loss: the security state of any one datum can only decrease the security of the rest. The more copies of data there are, the weaker its security becomes.

Mogull states: “As we have transitioned along the path from mainframes to client/server to Internet to cloud we have seen an increasing amount of usability at the cost of security.” He points to the issue of sensitive central data being easily dumped into less secure storage and the weakness of local caches.

According to Mogull, before data is moved to the cloud it is important to do a risk assessment. Questions must be asked: What would happen if the asset became public, was accessed by the service provider, or became unavailable? Next, data must be labelled and rights applied using technologies like DAM, DLP, EDRM and tokenization.

Mogull emphasises that information must be self-describing and self-defending. Policies and controls must account for business context. Information must be protected as it moves between silos and locations and as its business context changes. Finally, policies must work consistently across the different defensive layers and technologies we implement.
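The two Mogull points above (label the data and apply rights such as tokenization before it leaves the trusted store; make the data self-describing so the policy travels with it) can be shown in a few lines of Python. This is an added illustration written for this summary, not code from the talk or from any product; the field names, sensitivity levels, `FIELD_POLICY` table and sample records are all constructed for the example. It replaces the restricted field with a random surrogate token held in an in-memory vault, attaches per-field sensitivity labels to the exported copy, and checks the destination's clearance against the labels of the fields that are still in the clear, so extra copies of the exported data carry nothing usable without the vault.

```python
"""Information-centric controls: classify, label, tokenize before export.

Added illustration; not code from the talk. Field names, sensitivity levels
and the sample records are constructed for this example.
"""
import secrets

# Sensitivity order, lowest to highest (constructed for this example).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Which fields carry which sensitivity. The "tokenize" flag marks fields that
# must never leave the trusted store in clear form.
FIELD_POLICY = {
    "customer_id": {"level": "internal", "tokenize": False},
    "email":       {"level": "confidential", "tokenize": False},
    "card_number": {"level": "restricted", "tokenize": True},
}


class TokenVault:
    """Maps random surrogate tokens back to the original values.

    The vault stays inside the trusted boundary; exported copies hold tokens
    only, so an additional copy of the export gives an attacker nothing
    without access to the vault itself.
    """

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # Random token, not derived from the value: a token reveals nothing
        # about the original and cannot be reversed without the vault.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


def label_record(record):
    """Attach a per-field sensitivity label so the record describes itself."""
    labels = {f: FIELD_POLICY.get(f, {"level": "public"})["level"] for f in record}
    overall = max(labels.values(), key=LEVELS.index)
    return {"data": dict(record), "labels": labels, "classification": overall}


def prepare_for_export(record, vault):
    """Produce the copy of a record that may leave the trusted boundary."""
    labelled = label_record(record)
    tokenized = []
    for field, policy in FIELD_POLICY.items():
        if policy["tokenize"] and field in labelled["data"]:
            labelled["data"][field] = vault.tokenize(labelled["data"][field])
            tokenized.append(field)
    labelled["tokenized_fields"] = tokenized
    return labelled


def can_release(exported, destination_clearance):
    """Allow release only if the destination is cleared for every field that
    is still in clear form; tokenized fields no longer count against it."""
    in_clear = [lvl for f, lvl in exported["labels"].items()
                if f not in exported["tokenized_fields"]]
    worst = max(in_clear, key=LEVELS.index) if in_clear else "public"
    return LEVELS.index(destination_clearance) >= LEVELS.index(worst)


# Constructed sample records (not real customers or card numbers).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "card_number": "4111111111111111"},
    {"customer_id": "C-1002", "email": "bob@example.com", "card_number": "5500000000000004"},
]

if __name__ == "__main__":
    vault = TokenVault()
    for rec in SAMPLE_RECORDS:
        out = prepare_for_export(rec, vault)
        print(out["classification"], out["data"],
              "release to a confidential-rated store:", can_release(out, "confidential"),
              "release to an internal-rated store:", can_release(out, "internal"))
```

The exported record keeps its `restricted` classification label on the card field even though the field now holds a token, so any downstream consumer can see what the token stands for and which controls apply; only the vault, which never leaves the trusted boundary, can turn a token back into the original value.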

In the next post we will look at Day 2 of the Cloud Security Alliance Congress 2010 with a keynote by a former regulator from the FTC and what NIST is doing to help the future of cloud computing.